Firewalld Blocking SSH between Clients on WireGuard LAN
While firewalld is generally an excellent tool for configuring the firewall on a Linux box, for this particular use case -- forwarding traffic for other hosts -- it's kind of a pain in the neck to use. I would suggest turning it off on your server, and just using iptables (or nftables) directly.
If you really want to use firewalld, however, try this (as root):
1. Create a custom zone for your WireGuard interface that accepts all traffic:
firewall-cmd --permanent --new-zone=mywg
firewall-cmd --permanent --zone=mywg --set-target=ACCEPT
firewall-cmd --reload
2. Add "rich" rules to the zone to reject inbound connections from WireGuard to the server itself:
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv4" priority="30001" protocol value="tcp" reject'
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv4" priority="30002" protocol value="udp" reject'
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv6" priority="30003" protocol value="tcp" reject'
firewall-cmd --zone=mywg --add-rich-rule='rule family="ipv6" priority="30004" protocol value="udp" reject'
3. Add "direct" rules to allow forwarding of IPv4 SSH connections between other WireGuard hosts, and reject everything else:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i wg0 -o wg0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 2 -i wg0 -j REJECT
firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i wg0 -j REJECT
4. Bind the zone to your WireGuard interface and save your changes:
firewall-cmd --zone=mywg --add-interface=wg0
firewall-cmd --runtime-to-permanent
You can add more IPv4 direct rules between 0 and 2 (renumbering the REJECT rule to be last) if you want to allow other types of traffic between your WireGuard hosts (or just replace rules 0 and 1 with a single rule like -i wg0 -o wg0 -j ACCEPT if you want to allow the server to forward any and all traffic between your WireGuard hosts).
See the Hub and Spoke section of the How to Use WireGuard With Firewalld article for a full explanation (Host C is your server in that article).
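As an added example that is not part of the answer above, here is the same four-step procedure as one POSIX shell script, generalized so the interface name and the list of TCP ports forwarded between spokes are parameters (the answer hard-codes wg0 and port 22). The REJECT rule index is computed from the number of ports, so it always lands last. The zone name, the function names and the DRY_RUN, WG_IFACE and WG_PORTS variables are this example's own choices; -m conntrack --ctstate is the current spelling of the answer's -m state --state match and behaves the same. Run it as root, or with DRY_RUN=1 to print the firewall-cmd invocations without touching the firewall.

```shell
#!/bin/sh
# Added example (not the original answer's code): hub-and-spoke firewalld setup
# for a WireGuard interface. Assumed knobs, not from the original:
#   ZONE     zone name (default mywg)
#   DRY_RUN  when 1, print each firewall-cmd call instead of executing it
set -eu

ZONE="${ZONE:-mywg}"

# Execute or (under DRY_RUN=1) print one firewall-cmd invocation.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Step 1: zone whose default target accepts everything, created in the
# permanent config and then reloaded so it exists at runtime.
wg_create_zone() {
    fw --permanent --new-zone="$ZONE"
    fw --permanent --zone="$ZONE" --set-target=ACCEPT
    fw --reload
}

# Step 2: rich rules that reject new TCP/UDP connections from the tunnel to
# the hub itself; priorities are unique and increase in the answer's order.
wg_reject_to_hub() {
    prio=30001
    for fam in ipv4 ipv6; do
        for proto in tcp udp; do
            fw --zone="$ZONE" --add-rich-rule="rule family=\"$fam\" priority=\"$prio\" protocol value=\"$proto\" reject"
            prio=$((prio + 1))
        done
    done
}

# Step 3: direct FORWARD rules. Index 0 passes reply traffic, one ACCEPT per
# allowed TCP port follows, and the catch-all REJECT is given the next free
# index so it stays last however many ports were requested.
wg_forward_rules() {
    iface="$1"; shift
    fw --direct --add-rule ipv4 filter FORWARD 0 -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    n=1
    for port in "$@"; do
        fw --direct --add-rule ipv4 filter FORWARD "$n" -i "$iface" -o "$iface" -m conntrack --ctstate NEW -p tcp --dport "$port" -j ACCEPT
        n=$((n + 1))
    done
    fw --direct --add-rule ipv4 filter FORWARD "$n" -i "$iface" -j REJECT
    fw --direct --add-rule ipv6 filter FORWARD 0 -i "$iface" -j REJECT
}

# Step 4: bind the interface to the zone and persist the runtime changes
# (the rich and direct rules above were added at runtime only).
wg_bind_and_save() {
    fw --zone="$ZONE" --add-interface="$1"
    fw --runtime-to-permanent
}

# Whole procedure: wg_apply IFACE PORT [PORT...]
wg_apply() {
    iface="$1"; shift
    [ "$#" -gt 0 ] || { echo "usage: wg_apply IFACE PORT..." >&2; return 2; }
    wg_create_zone
    wg_reject_to_hub
    wg_forward_rules "$iface" "$@"
    wg_bind_and_save "$iface"
}

# Runs only when WG_IFACE is set, so sourcing the file just defines the
# functions. Example:  WG_IFACE=wg0 WG_PORTS="22 443" sh wg-fw.sh
if [ -n "${WG_IFACE:-}" ]; then
    wg_apply "$WG_IFACE" ${WG_PORTS:-22}
fi
```

After applying it for real, check what firewalld actually installed with firewall-cmd --zone=mywg --list-all and firewall-cmd --direct --get-all-rules, and confirm the REJECT entry is the highest-numbered IPv4 FORWARD rule; a spoke-to-spoke ssh should then connect while ssh from a spoke to the hub's tunnel address is refused.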